As long as there is money to be made, ransomware will continue to be a global issue for organizations. Recently, Sophos published a report regarding the state of ransomware for 2022. The company conducted an independent, vendor-agnostic survey of 5,600 IT professionals in mid-sized organizations (including 381 healthcare respondents) across 31 countries. The report revealed that 66% of the healthcare organizations surveyed were compromised by ransomware in the last year – 34% more than 2020. This data means that there was a 94% increase in healthcare ransomware attacks over the course of one year.
Threat actors are becoming more strategic and more capable of executing ransomware attacks at scale. The uptick in ransomware attacks is more than likely due to the continued success of the RaaS model. Quantum ransomware is a newer, lesser-known ransomware that operates with the RaaS model and has been very successful with compromising healthcare organizations.
In the past, threat actors tried to steer clear of attacking the healthcare sector but lately, attackers have dismissed all ethics and morals and are going full force with attacks. Now that threat actors like those behind Quantum ransomware know how vulnerable healthcare organizations are, we can expect many more ransomware attacks for the sector. Let’s take a look at Quantum ransomware, their recent attacks, and why social engineering and phishing are a major threat for healthcare organizations.
Discovered in August 2021, Quantum ransomware is linked to the Quantum Locker operation. Quantum Locker has had a few rebrands (AstroLocker, MountLocker, and XingLocker). Our technology partner, AdvIntel, confirmed that Quantum is a splinter group from Conti and that the ransomware operation was taken over by Conti Team Two in April 2022 – keeping Quantum’s original name.
In June 2022, Quantum was observed employing their version of BazarCall, called Jormungandr, and hiring people who specialized in OSINT, spamming, design, and call center operations. BazarCall is a method that is also known as call-back phishing. This tactic emerged in early 2021 as an attack vector used by Ryuk ransomware (later evolving into Conti).
BazarCall is used to gain initial access into a victim’s network and involves emailing victims. The emails allege that a paid subscription is up for automatic renewal, but the renewal can be cancelled if the victim calls a specific number. Once the victim calls the number, the threat actor on the other end of the line convinces the victim via social engineering to start a remote access session by the use of legitimate software controlled by a network intruder.
While the victim is distracted on the call, the intruder tries to figure out how to compromise the victim’s network without triggering alarms. These kinds of attacks are highly targeted, and the social engineering aspect makes them difficult for cyber security professionals to detect. AdvIntel believes that the switch to social engineering is more than likely due to the predictability of ransomware attacks, which has caused profits to decline for adversaries. If threat actors like Quantum are able to trick people, they can take a more flexible approach to their attacks – making them difficult to defend against.
Quantum’s BazarCall campaigns have grown more sophisticated in just two months’ time. They’ve impersonated a large number of brands, including:
When Quantum initially emerged, they experimented with BazarCall emails and impersonated Oracle. They delivered phishing emails to more than 200,000 people with the below email language.
Image 1: Fake CrowdStrike Email
Using the same method, Quantum was observed in another phishing operation where they impersonated the Luchechko brand. The threat actors sent a message regarding the company discriminating against an individual based on their ethnicity. Quantum chose Luchechko due to the company being Eastern European, therefore, the victim wouldn’t be suspicious of the threat actor’s accent.
In July 2022, Quantum successfully locked up the network of a New Jersey healthcare system. They exfiltrated data from the organization and demanded $500,000 in ransom in exchange for the data’s return. The healthcare organization is a private, statewide, non-profit behavioral healthcare organization that specializes in treating developmental disabilities and other health conditions.
Additionally, prior to attacking the healthcare organization in New Jersey, Quantum was responsible for attacking Interim Healthcare in July 2022, as well as a research-based biopharmaceutical company in June 2022. Quantum also attacked an IVF clinic based in Delhi, India. The clinic provides IVF and fertility treatments using cutting-edge technology.
As previously stated, Quantum is a merger between Quantum Locker and several members of Conti’s former pentesting group called Conti Team Two. According to AdvIntel, when Conti dissolved, members of the group decided to distance themselves from the toxic Conti brand. The two largest divisions of Conti created their own collectives – Team Two created the current version of Quantum, while Team One created Royal Zeon.
Quantum’s Jormungandr campaign is a major development that Quantum has been preparing for since June 2022. The phishing campaign is a derivative of BazarCall, and initial access is achieved by utilizing IcedID for reconnaissance tasks, as well as persistence. The DFIR Report published a case summary in April 2022 that showed the threat actors entering a victim’s network when a user endpoint was compromised by an IcedID payload contained within an ISO image, likely delivered via email.
According to the DFIR Report, the ISO contained IcedID malware and a LNK shortcut to execute it. After the initial IcedID payload was executed, it only took 2 hours after initial infection for Quantum to begin hands-on-keyboard activity. They then quickly deployed Cobalt Strike and RDP to move across the network before using WMI and PsExec to deploy the Quantum ransomware.
Image 2: IcedID and Cobalt Strike
Source: The DFIR Report
According to Avertium’s Cyber Threat Intelligence Team, ISO file types are a common way of grouping files together, but unlike zipped files, ISO files are mountable, allowing the user to attach the file like a virtual CD and access the files. This also lends itself to malware delivery quite well. In this case docs_invoice_173.iso contained two files, a hidden DLL file, and a LNK file made to look like a document.
Image 3: LNK File Masquerading as a Document
Source: Avertium's Cyber Threat Intelligence Team
Image 4: LNK File
Source: Avertium's Cyber Threat Intelligence Team
Once Quantum gains initial access, Cobalt Strike is injected into the cmd.exe process. The threat actors abuse AdFind to map out the Active Directory structure and abuse nslookup to gather network information from hosts. Credentials are then extracted from LSASS memory and tested using WMI discovery.
Next, Quantum copies the ransomware payload, ttsel.exe, to each infected host and drops the ransom note with the file name “README_TO_DECRYPT.html”. The ransom note contains a portal for contacting the threat actors for negotiation purposes. Quantum achieves persistence by encrypting files and folders on their victim’s machine. The threat actor’s demanded ransom ranges between $150k and $200k but has been higher for some organizations. The whole process takes less than 4 hours – a very short time-to-ransom.
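The intrusion chain described above (LNK on a mounted ISO launching a hidden DLL, AdFind and nslookup discovery, LSASS credential access, WMI/PsExec lateral movement, the ttsel.exe payload and the README_TO_DECRYPT.html note) is a sequence a defender can correlate per host rather than alerting on any single step. The following Python is an added example and is not code from Avertium, AdvIntel or The DFIR Report: it tags constructed Sysmon-style events (Event ID 1 process create, 10 process access, 11 file create; field names follow Sysmon) with the stages named in the text and raises an alert when a host accumulates several distinct stages inside the page's four-hour time-to-ransom window. Hostnames, file paths, timestamps, the placeholder DLL name, the stage labels, the drive-letter regex and the three-stage threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (EventID 1 = process create, 10 = process
# access, 11 = file create). Field names follow Sysmon; hosts, paths, times
# and the DLL name are invented for this example.
SAMPLE_EVENTS = [
    # LNK on a mounted ISO (drive D:) double-clicked from Explorer; the LNK
    # runs rundll32 on the hidden DLL beside it.
    {"EventID": 1, "UtcTime": "2022-04-25 09:00:10", "Computer": "WS01",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "D:\placeholder.dll",EntryPoint',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Active Directory and DNS discovery from the same host.
    {"EventID": 1, "UtcTime": "2022-04-25 10:15:00", "Computer": "WS01",
     "Image": r"C:\Users\Public\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=computer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2022-04-25 10:20:00", "Computer": "WS01",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup srv01", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Credential theft: a handle opened on LSASS (Sysmon EventID 10).
    {"EventID": 10, "UtcTime": "2022-04-25 10:40:00", "Computer": "WS01",
     "SourceImage": r"C:\Windows\System32\cmd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Lateral movement to SRV01 via WMI, then the PsExec service on the target.
    {"EventID": 1, "UtcTime": "2022-04-25 11:50:00", "Computer": "WS01",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"SRV01" process call create "C:\Windows\Temp\ttsel.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2022-04-25 12:05:00", "Computer": "SRV01",
     "Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": "PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "UtcTime": "2022-04-25 12:06:00", "Computer": "SRV01",
     "Image": r"C:\Windows\Temp\ttsel.exe", "CommandLine": "ttsel.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    # Ransom note written by the payload (Sysmon EventID 11).
    {"EventID": 11, "UtcTime": "2022-04-25 12:30:00", "Computer": "SRV01",
     "Image": r"C:\Windows\Temp\ttsel.exe",
     "TargetFilename": r"C:\Users\Public\README_TO_DECRYPT.html"},
    # Benign noise: an admin resolving a mail host on another workstation.
    {"EventID": 1, "UtcTime": "2022-04-25 08:30:00", "Computer": "WS02",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup mail.example.com",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def classify(ev):
    """Return the set of intrusion stages a single event matches."""
    tags = set()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if ev.get("EventID") == 1:
        # rundll32/regsvr32 started from Explorer with a DLL on a non-system
        # drive letter: the LNK-on-mounted-ISO pattern (regex is an assumption).
        if (image.endswith(("rundll32.exe", "regsvr32.exe"))
                and parent.endswith("explorer.exe")
                and re.search(r"\b[d-z]:\\", cmd)):
            tags.add("removable_media_dll_load")
        if image.endswith("adfind.exe") or "objectcategory=" in cmd:
            tags.add("ad_discovery")
        if image.endswith("nslookup.exe"):
            tags.add("dns_recon")
        if (image.endswith("wmic.exe") and "/node:" in cmd) or \
                image.endswith(("psexec.exe", "psexesvc.exe")):
            tags.add("remote_exec")
        if image.endswith("ttsel.exe") or "ttsel.exe" in cmd:
            tags.add("ransomware_binary")
    elif ev.get("EventID") == 10 and ev.get("TargetImage", "").lower().endswith("lsass.exe"):
        tags.add("lsass_access")
    elif ev.get("EventID") == 11 and \
            ev.get("TargetFilename", "").lower().endswith("readme_to_decrypt.html"):
        tags.add("ransom_note")
    return tags


def correlate(events, window=timedelta(hours=4), min_stages=3):
    """Per host, find the largest set of distinct stages inside one sliding
    window; hosts reaching min_stages are returned as alerts."""
    per_host = defaultdict(list)
    for ev in events:
        tags = classify(ev)
        if tags:
            per_host[ev["Computer"]].append((_ts(ev), tags))
    alerts = {}
    for host, items in per_host.items():
        items.sort(key=lambda it: it[0])
        best = set()
        for i, (start, _) in enumerate(items):
            seen = set()
            for ts, tags in items[i:]:
                if ts - start > window:
                    break
                seen |= tags
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts


def time_to_ransom(events, start_stage="removable_media_dll_load"):
    """Elapsed time from the first initial-access stage to the first ransom
    note anywhere in the estate, or None if either end is missing."""
    starts = [_ts(e) for e in events if start_stage in classify(e)]
    notes = [_ts(e) for e in events if "ransom_note" in classify(e)]
    if not starts or not notes:
        return None
    return min(notes) - min(starts)


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
    print("time to ransom:", time_to_ransom(SAMPLE_EVENTS))
```

Run against the constructed events, WS01 and SRV01 are flagged while the lone nslookup on WS02 is not, and the measured time to ransom is just under three and a half hours, inside the sub-four-hour window the text describes. In production the single-event rules would be fed from a SIEM and the thresholds tuned per environment; the point is that an individual nslookup or WMIC call is routine, but several stages on one host within a few hours is the pattern worth paging on.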
Image 5: Ransom Note
Source: The DFIR Report
In October 2021, Avertium’s Cyber Threat Intelligence Team published a Threat Intelligence Report regarding the healthcare industry and why the industry is constantly at risk for security incidents. The industry is two to three times more likely to be a target for cybercrime than any other industry. Some ransomware gangs try not to focus on attacking healthcare facilities, but Quantum is not one of those groups.
Quantum’s use of social engineering is quite disturbing because it’s difficult to track. By using social engineering and pretending to be legitimate organizations, Quantum has been able to breach and ransom several high-profile organizations. Social engineering is a major threat to the healthcare sector because healthcare organizations house sensitive information for patients (dates of birth, social security numbers, addresses, etc.).
According to Avertium’s blog on phishing, phishing attacks are often a vessel to deliver malware that masquerades as a communication from a trusted or reputable source. Although Quantum now uses call-back phishing, they have also used email phishing in their social engineering attacks.
Phishing attacks can come in the form of an email, a phone call, or a text message (smishing) – with the most common vehicle being email. A phishing email typically looks or sounds like it’s from a company or someone within your organization. The threat actor behind the attack will ask for privileged information or provide a link to an attachment which results in you downloading something malicious.
Social engineering is included in all kinds of phishing attacks and involves threat actors researching companies or individuals prior to the attack. The goal is to get the victim to trust the threat actor by providing a lot of convincing information about the victim – something Quantum seems to have mastered. Quantum takes advantage of core human psychology to manipulate people into doing exactly what they want.
If threat actors like Quantum are able to successfully breach healthcare organizations via social engineering, they will be able to gain access to data that could cripple an organization. Clinics, hospitals, and healthcare systems possess a high volume of patient and employee information. The information could be used for a variety of illicit activities, including financial fraud and further use within Quantum’s social engineering campaigns.
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium offers the following services to keep your organization safe:
Avertium and AdvIntel recommend the following to mitigate Quantum ransomware:
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.